Please enter your information to subscribe to the Microsoft Fabric Blog.

Thanks for subscribing to the Microsoft Fabric Blog. You’ll receive email notifications when we publish new posts.

Microsoft Fabric Updates Blog

  1. Updates
  2. Data Warehouse

Introducing SQL Audit Logs for Fabric Data Warehouse

Introducing SQL Audit Logs for Fabric Data Warehouse, a powerful new feature designed to enhance security, compliance, and operational insights for our users.

The Role of SQL Audit Logs in Fabric Data Warehouse Security

SQL Audit Logs in Microsoft Fabric Data Warehouse provide a comprehensive and immutable record of all database activities, capturing critical details such as the event timestamp, the user or process that triggered the action, and the executed T-SQL statements. These logs play a vital role in ensuring security and compliance by maintaining a transparent record of operations, helping organizations meet industry standards and regulatory mandates.

By preserving a complete history of database interactions, audit logs enhance accountability and provide essential data for forensic investigations.
Beyond compliance, SQL Audit Logs also serve as a powerful tool for database administrators and security teams. They help identify unauthorized access attempts, detect anomalous behavior that may indicate malicious activity, and support proactive threat mitigation. Additionally, analyzing these logs enables performance optimization, aids in debugging operational issues, and provides insights into usage patterns, helping organizations refine their security policies and database management strategies.

How to use SQL Audit Logs

Enabling SQL Audit Logs is straightforward Users with the ‘Audit’ permission can enable audit logs using a simple API call. By default, users’ part of Admin workspace roles receives the Audit permissions additionally, this permission can be shared to other users, by choosing the Audit option on share dialog:


Example 1: Enabling SQL Audit Logs with the API

To enable SQL Audit Logs for your Fabric Data Warehouse, you can use the following PATCH API call.

Firstly, we input the header for our API call: 

PATCH https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/warehouses/{warehouseId}/settings/sqlAudit

On body: 

{
  "state": "Enabled",
  "retentionDays": "0"
}

Replace {workspaceId} and {warehouseId} with your corresponding workspace ID and warehouse ID of your Fabric Datawarehouse. Setting the state to “Enabled” will enable the audit logs, and the retentionDays parameter is set to 0 for unlimited retention, but you can change it based on your organization’s requirements.

Example 2: Adding Action Groups with the API

To add specific action groups to be audited, you can use the following POST API call.

First, let’s work on our header:

POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/warehouses/{warehouseId}/settings/sqlAudit/setAuditActionsAndGroups


Example Body:

[
"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP"
]


Replace {workspaceId} and {warehouseId} with your corresponding Fabric workspace ID and warehouse ID. The example above adds the DATABASE_OBJECT_PERMISSION_CHANGE_GROUP action group to the audit logs.

Once enabled, audit logs can be queried using the sys.fn_get_audit_file_v2 function to retrieve and analyze the recorded events.

Now, let’s take a look on how we can retrieve the audit events and stored on OneLake.

Example 3: Retrieving All Audit Records

To retrieve all audit records from a specific audit file, you can use the following query:

SELECT * FROM sys.fn_get_audit_file_v2(https://onelake.blob.fabric.microsoft.com/{workspaceId}/{warehouseId}/Audit/sqldbauditlogs/', DEFAULT, DEFAULT, '2023-11-17T08:40:40Z', '2023-11-17T09:10:40Z')

In this example the query retrieves all audit records from the specified audit file within the given time range. Replace the URL with the path to your audit file and adjust the time range as needed.

Example 4: Filtering Audit Records by Action

To filter audit records by a specific action, such as: DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, you can use the following query:

SELECT * FROM sys.fn_get_audit_file_v2(https://onelake.blob.fabric.microsoft.com/{workspaceId}/{warehouseId}/Audit/sqldbauditlogs/', DEFAULT, DEFAULT, '2023-11-17T08:40:40Z', '2023-11-17T09:10:40Z') WHERE action_id = ' GRDO';

This query retrieves audit records for the DATABASE_OBJECT_PERMISSION_CHANGE_GROUP action within the specified time range. Again, replace the URL with the path to your audit file and adjust the time range as needed, also make sure you filter for actions to avoid dealing with long results sets, not related to the events you intent to audit.

Using specific action groups

Fabric Data Warehouse SQL Audit Logs rely on predefined action groups to capture specific events within the database. These action groups include operations such as database object access, permission changes, and schema modifications. By configuring these action groups, you can tailor the audit logs to capture the most relevant events for your organization.

Conclusion

While SQL Audit Logs provide significant benefits, it is important to be mindful of the potential impact on storage costs. Enabling broad audit action groups can generate large volumes of audit records, which may increase storage requirements. Therefore, it is crucial to carefully select the action groups and retention policies that align with your organization’s compliance and security requirements.

We are excited about the possibilities that SQL Audit Logs bring to Fabric Data Warehouse and look forward to seeing how our users leverage this feature to enhance their security and compliance efforts.

Stay tuned for more updates and detailed documentation on configuring and managing SQL Audit Logs in Microsoft Fabric Data Warehouse. Submit your feedback on Fabric Ideas and join the conversation on the Fabric Community.

Related blog posts

Introducing SQL Audit Logs for Fabric Data Warehouse

Blog's featured image

It’s Time! Announcing The Microsoft SQL Community Conference
November 10, 2025 by Arun Ulagaratchagan

SQL is having its moment. From on-premises data centers to Azure Cloud Services to Microsoft Fabric, SQL has evolved into something far more powerful than many realize and it deserves the focused attention of a big stage.  That’s why I’m thrilled to announce SQLCon, a dedicated conference for database developers, database administrators, and database engineers. Co-located with FabCon for an unprecedented week of deep technical content … Continue reading “It’s Time! Announcing The Microsoft SQL Community Conference”

Read more
Blog's featured image

ArcGIS GeoAnalytics for Microsoft Fabric Spark (Generally Available)
November 3, 2025 by Arshad Ali

Additional authors – Madhu Bhowal, Ashit Gosalia, Aniket Adnaik, Kevin Cheung, Sarah Battersby, Michael Park Esri is recognized as the global market leader in geographic information system (GIS) technology, location intelligence, and mapping, primarily through its flagship software, ArcGIS. Esri empowers businesses, governments, and communities to tackle the world’s most pressing challenges through spatial analysis. … Continue reading “ArcGIS GeoAnalytics for Microsoft Fabric Spark (Generally Available)”

Read more